Hackers behind the United States’ worst cyber attack leveraged reseller access to Microsoft Corp services to penetrate targets, investigators found. Hackers won access to the vendor, a reseller that sold Office licenses, in addition to compromising SolarWinds’ Orion software.
Many Microsoft software licenses are sold through third parties, and those companies can have near-constant access to clients’ systems as the customers add products or employees. Microsoft on Thursday said that those customers need to be extra vigilant.
“Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms,” said Microsoft Senior Director Jeff Jones. “We have not identified any vulnerabilities or compromise of Microsoft product or cloud services.”
The use of a Microsoft reseller to try to break into a top digital defense company raises new questions about how many avenues the hackers, whom U.S. officials have alleged are operating on behalf of the Russian government, have at their disposal.
The known victims so far include the security firms CrowdStrike and FireEye Inc and the U.S. Departments of Defense, State, Commerce, Treasury, and Homeland Security. Other big companies, including Microsoft and Cisco Systems Inc, said they found tainted SolarWinds software internally but had not found signs that the hackers used it to range widely on their networks.
Until now, Texas-based SolarWinds was the only publicly confirmed channel for the initial break-ins, although officials have been warning for days that the hackers had other ways in.
Microsoft requires its vendors to have access to client systems in order to install products and add new users. But discovering which vendors still have access rights at any given time is so hard that CrowdStrike developed and released an auditing tool to do that.
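One way to see the problem the paragraph describes, as an added example that is not CrowdStrike’s tool and not part of the original article: take an export of the tenant’s sign-in log and list every foreign tenant that still authenticates into it, how recently, and whether the access came through a partner (service-provider) relationship rather than an ordinary guest account. The record fields used here (`homeTenantId`, `resourceTenantId`, `crossTenantAccessType`, `createdDateTime`, `userPrincipalName`) are an assumption modeled on Azure AD sign-in log exports, and the tenant IDs and sign-in records are constructed sample data.

```python
"""Inventory external tenants (resellers, guests) that sign in to our tenant.

Added example. Field names are an assumption modeled on Azure AD sign-in
log exports; every tenant id and record below is constructed sample data.
"""
from datetime import datetime, timedelta, timezone

OUR_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed: our tenant
RESELLER_A = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # constructed: active reseller
RESELLER_B = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"  # constructed: forgotten reseller
GUEST_ORG = "cccccccc-cccc-cccc-cccc-cccccccccccc"   # constructed: B2B guest's org

# Constructed sign-in records. "serviceProvider" marks a partner/delegated-admin
# sign-in; "b2bCollaboration" marks an ordinary invited guest.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2020-12-24T09:12:00Z", "userPrincipalName": "alice@contoso.example",
     "homeTenantId": OUR_TENANT, "resourceTenantId": OUR_TENANT, "crossTenantAccessType": "none"},
    {"createdDateTime": "2020-12-23T14:05:00Z", "userPrincipalName": "admin@reseller-a.example",
     "homeTenantId": RESELLER_A, "resourceTenantId": OUR_TENANT, "crossTenantAccessType": "serviceProvider"},
    {"createdDateTime": "2020-12-15T08:30:00Z", "userPrincipalName": "helpdesk@reseller-a.example",
     "homeTenantId": RESELLER_A, "resourceTenantId": OUR_TENANT, "crossTenantAccessType": "serviceProvider"},
    {"createdDateTime": "2020-06-01T11:00:00Z", "userPrincipalName": "admin@reseller-b.example",
     "homeTenantId": RESELLER_B, "resourceTenantId": OUR_TENANT, "crossTenantAccessType": "serviceProvider"},
    {"createdDateTime": "2020-12-20T16:45:00Z", "userPrincipalName": "bob_guestorg.example#EXT#@contoso.example",
     "homeTenantId": GUEST_ORG, "resourceTenantId": OUR_TENANT, "crossTenantAccessType": "b2bCollaboration"},
]

# Constructed "now" so the stale calculation is reproducible.
NOW = datetime(2020, 12, 25, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_external(rec: dict, our_tenant: str) -> bool:
    """A sign-in into our tenant whose account lives in another tenant."""
    return rec["resourceTenantId"] == our_tenant and rec["homeTenantId"] != our_tenant


def partner_access_report(records, our_tenant, now, stale_after_days=90):
    """Group external sign-ins by the foreign tenant they come from.

    Returns {foreign_tenant_id: {access_type, sign_ins, users, first_seen,
    last_seen, stale}}. A tenant is 'stale' when it has not signed in for
    stale_after_days: access that is still granted but no longer used is
    exactly the kind of forgotten reseller relationship the article describes.
    """
    report = {}
    for rec in records:
        if not is_external(rec, our_tenant):
            continue
        ts = parse_ts(rec["createdDateTime"])
        entry = report.setdefault(rec["homeTenantId"], {
            "access_type": rec["crossTenantAccessType"],
            "sign_ins": 0, "users": set(), "first_seen": ts, "last_seen": ts,
        })
        entry["sign_ins"] += 1
        entry["users"].add(rec["userPrincipalName"])
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    cutoff = now - timedelta(days=stale_after_days)
    for entry in report.values():
        entry["stale"] = entry["last_seen"] < cutoff
    return report


def service_provider_tenants(report) -> list:
    """Only the tenants that reach us through a partner relationship."""
    return sorted(t for t, e in report.items() if e["access_type"] == "serviceProvider")


if __name__ == "__main__":
    rep = partner_access_report(SAMPLE_SIGNINS, OUR_TENANT, NOW)
    for tenant, e in rep.items():
        flag = "STALE - review whether this access is still needed" if e["stale"] else "active"
        print(f"{tenant} {e['access_type']:<18} sign-ins={e['sign_ins']} "
              f"last={e['last_seen']:%Y-%m-%d} users={sorted(e['users'])} [{flag}]")
```

The report is only as good as the log retention behind it: a reseller whose last sign-in predates the export will not appear at all, which is why a tool that reads the tenant’s actual delegated-access configuration, rather than inferring it from sign-ins, is the stronger check.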
After a series of other breaches through cloud providers, including a major set of attacks attributed to Chinese government-backed hackers and known as CloudHopper, Microsoft this year imposed new controls on its resellers, including requirements for multi-factor authentication.
SolarWinds also on Thursday released an update to fix the vulnerabilities in Orion, its flagship network management software, following the discovery of a second set of hackers that had targeted the company’s products.
Microsoft in a blog post on Friday said that SolarWinds had its software targeted by Russian hackers and by a second, unrelated group of hackers.
The identity of the second set of hackers, or the degree to which they may have successfully broken in anywhere, remains unclear.
Russia has denied having any role in the hacking.